
Lovely Professional University, Punjab

Course Code: INT250
Course Title: DIGITAL EVIDENCE ANALYSIS
Lectures: 2, Tutorials: 0, Practicals: 2, Credits: 3
Course Planner: 27728::Chavi Kapoor
Course Weightage: ATT: 5, CA: 25, MTT: 20, ETT: 50

Course Outcomes: Through this course students should be able to

CO1 :: describe the fundamentals of the incident response handling process.
CO2 :: discuss the methodology of detecting an incident and responding to it in case of a security breach.
CO3 :: examine the process of live data collection and forensic duplication during forensic investigations.
CO4 :: outline the network and host-based evidence collection during the evidence handling process.
CO5 :: classify various data analysis techniques for network and system evidence data.
CO6 :: evaluate the process of extracting critical data from Windows systems and routers.

TextBooks (T)
T-1: DIGITAL FORENSICS AND INCIDENT RESPONSE, Gerard Johansen, Packt Publishing

Reference Books (R)
R-1: INCIDENT RESPONSE & COMPUTER FORENSICS, Jason Luttgens, Matthew Pepe and Kevin Mandia, McGraw Hill Education

Relevant Websites (RW)
RW-1: http://searchsecurity.techtarget.com/definition/incident-response (Incident response)

Audio Visual Aids (AV)
AV-1: https://www.youtube.com/watch?v=PhROeWMPBqU (Incident response plan)
AV-2: https://www.youtube.com/watch?v=VTOoKBJX1Gs (Basics of incident response)
AV-3: https://www.youtube.com/watch?v=C-0JD1Fwk7U (Advanced incident response and threat hunting)
AV-4: https://www.youtube.com/watch?v=Xw536W7kbDQ (Event log analysis)
AV-5: https://www.youtube.com/watch?v=wsgvY_jlQuk (Live data collection)
AV-6: https://www.youtube.com/watch?v=fEip9gl2MTA (Live forensics and memory analysis)
AV-7: https://www.youtube.com/watch?v=F3iZeKC1ePg (Forensic duplication)
AV-8: https://www.youtube.com/watch?v=yGcSIZGakRM (Forensic duplication extended)
AV-9: https://www.youtube.com/watch?v=A1ueA1GDb9g (Network evidence)
AV-10: https://www.youtube.com/watch?v=2srNhY29k1s (Evidence analysis and handling)
AV-11: https://www.youtube.com/watch?v=HDKXQaFVdDo (Investigating Windows systems)
AV-12: https://www.youtube.com/watch?v=a4dwypa12c4 (Forensic report writing)

An instruction plan is only a tentative plan. The teacher may make some changes in his/her teaching plan. The students are advised to use the syllabus for preparation of all examinations. The students are expected to keep themselves updated on the contemporary issues related to the course. Up to 20% of the questions in any examination/academic tasks can be asked from such issues even if not explicitly mentioned in the instruction plan.

LTP week distribution (LTP Weeks)
Weeks before MTE: 7
Weeks after MTE: 7
Spill Over (Lecture): 4

Detailed Plan For Lectures

Each entry below gives: Week Number and Lecture Number; Broad Topic (Sub Topic); Chapters/Sections of Text/reference books; Other Readings (Relevant Websites, Audio Visual Aids, software and Virtual Labs); Lecture Description; Learning Outcomes; Pedagogical Tool Planned (Demonstration / Case Study / Images / animation / ppt etc.); Live Examples.
Week 1, Lecture 1
  Topic: Introduction to Incident Response (What is a computer security incident?)
  Text/reference books: R-1
  Other readings: AV-2
  Lecture description: L0: Introductory lecture to the course; What Is a Computer Security Incident?; What Are the Goals of Incident Response?; Who Is Involved in the Incident Response Process?
  Learning outcomes: Student shall learn the basics of incident response
  Pedagogical tool: Discussion

Week 1, Lecture 1
  Topic: Introduction to Incident Response (What are the goals of incident response?; Who is involved in the incident response process?)
  Text/reference books: R-1
  Other readings: AV-2
  Lecture description: L0: Introductory lecture to the course; What Is a Computer Security Incident?; What Are the Goals of Incident Response?; Who Is Involved in the Incident Response Process?
  Learning outcomes: Student shall learn the basics of incident response
  Pedagogical tool: Discussion

Week 1, Lecture 1
  Topic: Introduction to Incident Response (Incident response methodology)
  Text/reference books: R-1
  Other readings: RW-1
  Lecture description: Pre-Incident Preparation, Detection of Incidents, Initial Response
  Learning outcomes: Student shall understand the methodology of incident response
  Pedagogical tool: Discussion

Week 1, Lecture 2
  Topic: Introduction to Incident Response (Formulate a response strategy)
  Text/reference books: R-1
  Other readings: RW-1
  Lecture description: Considering the Totality of the Circumstances, Considering Appropriate Responses, Taking Action
  Learning outcomes: Student shall understand the methodology of incident response
  Pedagogical tool: Discussion, Case Study

Week 1, Lecture 2
  Topic: Introduction to Incident Response (Investigate the incident; Reporting; Resolution)
  Text/reference books: R-1
  Other readings: RW-1
  Lecture description: Data Collection, Forensic Analysis, Reporting, Resolution
  Learning outcomes: Student shall understand the methodology of incident response
  Pedagogical tool: Discussion, Case Study

Week 2, Lecture 3
  Topic: Introduction to Incident Response (The incident response framework)
  Text/reference books: T-1
  Other readings: RW-1
  Lecture description: The incident response charter, CSIRT core team, Technical support personnel, Organizational support personnel, External resources
  Learning outcomes: Student shall learn the technicalities of the incident response framework and the members of the incident response team
  Pedagogical tool: Discussion

Week 2, Lecture 3
  Topic: Introduction to Incident Response (CSIRT)
  Text/reference books: T-1
  Other readings: RW-1, AV-3
  Lecture description: The incident response charter, CSIRT core team, Technical support personnel, Organizational support personnel, External resources
  Learning outcomes: Student shall learn the technicalities of the incident response framework and the members of the incident response team
  Pedagogical tool: Discussion

Week 2, Lecture 3
  Topic: Introduction to Incident Response (Incident response plan; Incident classification)
  Text/reference books: T-1
  Other readings: AV-1, AV-3
  Lecture description: The incident response plan, Incident classification
  Learning outcomes: Student shall learn the details of an incident response plan and incident classification
  Pedagogical tool: Discussion, brainstorming

Week 2, Lecture 4
  Topic: Introduction to Incident Response (Incident response playbook; Escalation procedures; Maintaining incident response capability)
  Text/reference books: T-1
  Other readings: AV-3
  Lecture description: The incident response playbook, Escalation procedures, Maintaining the incident response capability
  Learning outcomes: Student shall learn the incident response escalation procedures
  Pedagogical tool: Discussion
  Live examples: Identifying an incident out of system anomalies

Week 3, Lecture 5
  Topic: Preparing for Incident Response (Overview of incident response preparation)
  Text/reference books: R-1
  Other readings: AV-3
  Lecture description: Overview of pre-incident preparation, Identifying risk
  Learning outcomes: Student shall learn to prepare for an incident response
  Pedagogical tool: Discussion, case study

Week 3, Lecture 5
  Topic: Preparing for Incident Response (Identifying risks)
  Text/reference books: R-1
  Other readings: AV-3
  Lecture description: Overview of pre-incident preparation, Identifying risk
  Learning outcomes: Student shall learn to prepare for an incident response
  Pedagogical tool: Discussion, case study

Week 3, Lecture 5
  Topic: Preparing for Incident Response (Preparing individual hosts)
  Text/reference books: R-1
  Lecture description: Recording Cryptographic Checksums of Critical Files, Configuring Windows Logging, Configuring Application Logging, Building Up Your Host's Defenses, Backing Up Critical Data, Educating Your Users about Host-Based Security
  Learning outcomes: Student shall learn to record information from hosts
  Pedagogical tool: Discussion, case study
  Live examples: md5sum for integrity check

Week 3, Lecture 6
  Topic: Preparing for Incident Response (Preparing a network)
  Text/reference books: R-1
  Lecture description: Installing Firewalls and Intrusion Detection Systems, Creating a Network Topology Conducive to Monitoring, Encrypting Network Traffic
  Learning outcomes: Student shall learn how to prepare a network for forensics
  Pedagogical tool: Discussion
  Live examples: Implementing firewalls and IDS in a network

Week 4, Lecture 7: Test 1

Week 4, Lecture 8
  Topic: Preparing for Incident Response (Establishing appropriate policies and procedures)
  Text/reference books: R-1
  Other readings: AV-3
  Lecture description: Determining Your Response Stance, Understanding How Policies Can Aid Investigative Steps
  Learning outcomes: Student shall learn to establish policies and procedures for incident response
  Pedagogical tool: Discussion

Week 4, Lecture 8
  Topic: Preparing for Incident Response (Creating a response toolkit)
  Text/reference books: R-1
  Other readings: AV-3
  Lecture description: The Response Hardware, The Response Software, The Networking Monitoring Platform, Documentation, Deciding on the Team's Mission, Training the Team
  Learning outcomes: Student shall learn to create an incident response toolkit
  Pedagogical tool: Discussion
  Live examples: FBI Toolkit

Week 4, Lecture 8
  Topic: Preparing for Incident Response (Establishing an incident response team)
  Text/reference books: R-1
  Other readings: AV-3
  Lecture description: The Response Hardware, The Response Software, The Networking Monitoring Platform, Documentation, Deciding on the Team's Mission, Training the Team
  Learning outcomes: Student shall learn to create an incident response toolkit
  Pedagogical tool: Discussion

Week 5, Lecture 9
  Topic: After Detecting an Incident (Overview of initial response phase; Establishing an incident notification procedure; Recording details after initial detection)
  Text/reference books: R-1
  Other readings: AV-3
  Lecture description: Obtaining Preliminary Information, Establishing an incident notification procedure
  Learning outcomes: Student shall learn to record the details of an incident
  Pedagogical tool: Discussion

Week 5, Lecture 9
  Topic: After Detecting an Incident (Incident declaration; Assembling the CSIRT)
  Text/reference books: R-1
  Other readings: AV-3
  Lecture description: Incident declaration, Determining Escalation Procedures, Implementing Notification Procedures, Scoping an Incident and Assembling the Appropriate Resources
  Learning outcomes: Student shall learn to declare an incident and gather the incident response team
  Pedagogical tool: Discussion

Week 5, Lecture 10
  Topic: After Detecting an Incident (Performing traditional investigative steps; Conducting interviews)
  Text/reference books: T-1
  Other readings: AV-3
  Lecture description: Performing traditional investigative steps, Getting Contact Information, Interviewing System Administrators, Interviewing Managers, Interviewing End Users
  Learning outcomes: Student shall learn to perform traditional investigations
  Pedagogical tool: Discussion, case study
  Live examples: Forensic investigations

Week 5, Lecture 10
  Topic: After Detecting an Incident (Formulating a response strategy)
  Text/reference books: T-1
  Lecture description: Response Strategy Considerations, Policy Verification
  Learning outcomes: Student shall learn to formulate an incident response strategy
  Pedagogical tool: Discussion

Week 6, Lecture 11
  Topic: Live Data Collection (Creating a response toolkit; Storing information obtained during initial response)
  Text/reference books: R-1
  Other readings: AV-5
  Lecture description: Gathering the Tools, Preparing the Toolkit, Transferring Data with netcat, Encrypting Data with cryptcat
  Learning outcomes: Student shall learn to record live data from systems
  Pedagogical tool: Live data capture using tools
  Live examples: netcat, cryptcat

Week 6, Lecture 11
  Topic: Live Data Collection (Obtaining volatile data)
  Text/reference books: R-1
  Other readings: AV-6
  Lecture description: Organizing and Documenting Your Investigation, Collecting Volatile Data
  Learning outcomes: Student shall learn to record live data from systems
  Pedagogical tool: Practical demonstration
  Live examples: Process monitoring tools

Week 6, Lecture 12
  Topic: Live Data Collection (Performing in-depth live response; Is forensic duplication necessary?)
  Text/reference books: T-1
  Other readings: AV-6
  Lecture description: Collecting the Most Volatile Data, Creating an In-Depth Response Toolkit, Collecting Live Response Data
  Learning outcomes: Student shall learn to record live data from systems
  Pedagogical tool: Practical demonstration
  Live examples: RAM dump

Week 7, Lecture 13
  Topic: Forensic Duplication (Forensic duplicates as admissible evidence; Forensic duplication tool requirement)
  Text/reference books: T-1
  Lecture description: What Is a Forensic Duplicate?, What Is a Qualified Forensic Duplicate?, What Is a Restored Image?, What Is a Mirror Image?, Forensic duplicate tools requirement
  Learning outcomes: Student shall learn the basics of forensic duplication
  Pedagogical tool: Discussion
  Live examples: dd

Week 7, Lecture 13
  Topic: Forensic Duplication (Creating a forensic duplicate of a hard drive)
  Text/reference books: T-1
  Other readings: AV-7, AV-8
  Lecture description: Duplicating with dd and dcfldd, Duplicating with the Open Data Duplicator (ODD)
  Learning outcomes: Student shall learn to duplicate hard drives
  Pedagogical tool: Practical demonstration
  Live examples: ODD

Week 7, Lecture 13
  Topic: Forensic Duplication (Creating a qualified forensic duplicate of a hard drive)
  Text/reference books: T-1
  Other readings: AV-7, AV-8
  Lecture description: Creating a Boot Disk, Creating a Qualified Forensic Duplicate with SafeBack, Creating a Qualified Forensic Duplicate with EnCase
  Learning outcomes: Student shall learn to create forensic duplicates of hard disks
  Pedagogical tool: Practical demonstration
  Live examples: EnCase

SPILL OVER
Week 7, Lecture 14: Spill Over

MID-TERM

Week 8, Lecture 15
  Topic: Collecting Network-Based Evidence (What is network based evidence?; Goals of network monitoring)
  Text/reference books: R-1
  Other readings: AV-9
  Lecture description: What is network based evidence?, Goals of network monitoring, Event Monitoring, Trap-and-Trace Monitoring, Full-Content Monitoring
  Learning outcomes: Student shall learn the importance of network monitoring in forensics
  Pedagogical tool: Discussion

Week 8, Lecture 15
  Topic: Collecting Network-Based Evidence (Types of network monitoring)
  Text/reference books: R-1
  Other readings: AV-9
  Lecture description: What is network based evidence?, Goals of network monitoring, Event Monitoring, Trap-and-Trace Monitoring, Full-Content Monitoring
  Learning outcomes: Student shall learn the importance of network monitoring in forensics
  Pedagogical tool: Discussion

Week 8, Lecture 15
  Topic: Collecting Network-Based Evidence (Setting up a network monitoring system)
  Text/reference books: R-1
  Other readings: AV-9
  Lecture description: Determining Your Goals, Choosing Appropriate Hardware, Choosing Appropriate Software, Deploying the Network Monitor, Evaluating Your Network Monitor
  Learning outcomes: Student shall learn to set up a network monitoring system
  Pedagogical tool: Practical demonstration

Week 8, Lecture 16
  Topic: Collecting Network-Based Evidence (Performing a trap and trace; Using tcpdump for full-content monitoring; Collecting network based log files)
  Text/reference books: T-1
  Other readings: AV-9
  Lecture description: Initiating a Trap-and-Trace with tcpdump, Performing a Trap-and-Trace with WinDump, Filtering Full-Content Data, Maintaining Your Full-Content Data Files
  Learning outcomes: Student shall learn to capture and analyse network traffic
  Pedagogical tool: Practical demonstration

Week 9, Lecture 17
  Topic: Acquiring Host-Based Evidence (Preparation; Evidence volatility; Evidence acquisition)
  Text/reference books: T-1
  Other readings: AV-10
  Lecture description: Preparation, Evidence volatility, Evidence acquisition
  Learning outcomes: Student shall learn to collect and acquire evidence
  Pedagogical tool: Discussion

Week 9, Lecture 17
  Topic: Acquiring Host-Based Evidence (Evidence collection procedures; Memory acquisition)
  Text/reference books: T-1
  Other readings: AV-10
  Lecture description: Preparation, Evidence volatility, Evidence acquisition
  Learning outcomes: Student shall learn to collect and acquire evidence
  Pedagogical tool: Discussion

Week 9, Lecture 17
  Topic: Acquiring Host-Based Evidence (Local acquisition)
  Text/reference books: T-1
  Lecture description: Preparation, Evidence volatility, Evidence acquisition
  Learning outcomes: Student shall learn to collect and acquire evidence
  Pedagogical tool: Discussion

Week 9, Lecture 18
  Topic: Acquiring Host-Based Evidence (Remote acquisition; Virtual machines; Non-volatile data)
  Text/reference books: T-1
  Other readings: AV-10
  Lecture description: Remote acquisition, Virtual machines, Non-volatile data
  Learning outcomes: Student shall learn to acquire data remotely
  Pedagogical tool: Practical demonstration

Week 10, Lecture 19
  Topic: Evidence Handling (What is evidence?; Challenges of evidence handling; Overview of evidence handling procedures)
  Text/reference books: T-1
  Other readings: AV-10
  Lecture description: The Best Evidence Rule, Original Evidence, Authentication of Evidence, Chain of Custody, Evidence Validation
  Learning outcomes: Student shall learn the procedures to handle evidence
  Pedagogical tool: Discussion

Week 10, Lecture 20: Test 2

Week 11, Lecture 21
  Topic: Data Analysis Techniques (Preparation for forensic analysis)
  Text/reference books: R-1
  Lecture description: Preparation for forensic analysis, Restoring a Forensic Duplication of a Hard Disk, Restoring a Qualified Forensic Duplication of a Hard Disk
  Learning outcomes: Student shall learn forensic duplication
  Pedagogical tool: Practical demonstration
  Live examples: SafeBack

Week 11, Lecture 21
  Topic: Data Analysis Techniques (Restoring a forensic duplicate)
  Text/reference books: R-1
  Lecture description: Preparation for forensic analysis, Restoring a Forensic Duplication of a Hard Disk, Restoring a Qualified Forensic Duplication of a Hard Disk
  Learning outcomes: Student shall learn forensic duplication
  Pedagogical tool: Practical demonstration
  Live examples: SafeBack

Week 11, Lecture 21
  Topic: Data Analysis Techniques (Restoring a qualified forensic duplicate of a hard disk; Reviewing image files with forensic suites; Converting a qualified forensic duplicate to a forensic duplicate)
  Text/reference books: R-1
  Lecture description: Restoring an EnCase Evidence File, Restoring a SafeBack Evidence File, Reviewing Forensic Duplicates in EnCase, Reviewing Forensic Duplicates in the Forensic Toolkit, Converting a qualified forensic duplicate to a forensic duplicate
  Learning outcomes: Student shall learn to handle forensic image files
  Pedagogical tool: Practical demonstration
  Live examples: FTK, EnCase

Week 11, Lecture 22
  Topic: Data Analysis Techniques (Recovering deleted files on Windows systems)
  Text/reference books: R-1
  Lecture description: Using Windows-Based Tools To Recover Files on FAT File Systems, Using FatBack to Recover Deleted Files, Using TASK to Recover Deleted Files, Running Autopsy as a GUI for File Recovery, Using Foremost to Recover Lost Files
  Learning outcomes: Student shall learn to recover deleted files from systems
  Pedagogical tool: Practical demonstration
  Live examples: Autopsy, FatBack

Week 11, Lecture 22
  Topic: Data Analysis Techniques (Recovering unallocated space)
  Text/reference books: R-1
  Other readings: AV-10
  Lecture description: Using Windows-Based Tools To Recover Files on FAT File Systems, Using FatBack to Recover Deleted Files, Using TASK to Recover Deleted Files, Running Autopsy as a GUI for File Recovery, Using Foremost to Recover Lost Files
  Learning outcomes: Student shall learn to recover deleted files from systems
  Pedagogical tool: Practical demonstration

Week 11, Lecture 22
  Topic: Data Analysis Techniques (Free space and slack space; Generating a file list)
  Text/reference books: R-1
  Lecture description: Slack Space and Unallocated Space, Listing File Metadata, Identifying Known System Files
  Learning outcomes: Student shall learn to manage storage space on computer systems
  Pedagogical tool: Practical demonstration

Week 11, Lecture 22
  Topic: Data Analysis Techniques (Preparing a drive for string searches)
  Text/reference books: R-1
  Lecture description: Performing String Searches, Performing String Searches with EnCase, Performing String Searches Using TASK and Autopsy
  Learning outcomes: Student shall learn to search files from a large storage
  Pedagogical tool: Practical demonstration
  Live examples: Autopsy, EnCase

Week 12, Lecture 23
  Topic: Analysing System Memory (Memory evidence overview)
  Text/reference books: T-1
  Other readings: AV-10
  Lecture description: Memory evidence overview, Memory analysis methodology, SANS six-part methodology, Network connections methodology, Redline, Volatility
  Learning outcomes: Student shall learn memory analysis
  Pedagogical tool: Practical demonstration

Week 12, Lecture 23
  Topic: Analysing System Memory (Memory analysis; Tools)
  Text/reference books: T-1
  Other readings: AV-10
  Lecture description: Memory evidence overview, Memory analysis methodology, SANS six-part methodology, Network connections methodology, Redline, Volatility
  Learning outcomes: Student shall learn memory analysis
  Pedagogical tool: Practical demonstration

Week 12, Lecture 24: Test 3

Week 13, Lecture 25
  Topic: Network Evidence Analysis (Analyzing packet captures; Command line tools)
  Text/reference books: T-1
  Lecture description: Wireshark, CapAnalysis
  Learning outcomes: Student shall learn to capture and analyse network traffic
  Pedagogical tool: Practical demonstration
  Live examples: Wireshark, CapAnalysis

Week 13, Lecture 25
  Topic: Network Evidence Analysis (Wireshark; Xplico and CapAnalysis; Analyzing network log files; DNS blacklists; SIEM; ELK stack)
  Text/reference books: T-1
  Other readings: AV-4
  Lecture description: Analyzing network log files, DNS blacklists, SIEM, ELK Stack
  Learning outcomes: Student shall learn to analyse network log files
  Pedagogical tool: Discussion

Week 13 Lecture 26 | Investigating windows systems (Where evidence resides on windows systems) | R-1 | AV-11 | Where evidence resides on windows systems, Conducting a windows investigation, Reviewing All Pertinent Logs, Event Log Dumps, Performing Keyword Searches, Reviewing Relevant Files | Student shall learn to identify evidences on windows systems | Practical demonstration
Investigating windows systems (Conducting a windows investigation) | R-1 | AV-11 | Where evidence resides on windows systems, Conducting a windows investigation, Reviewing All Pertinent Logs, Event Log Dumps, Performing Keyword Searches, Reviewing Relevant Files | Student shall learn to identify evidences on windows systems | Practical demonstration
Investigating windows systems (Identifying unauthorized user accounts or groups) | R-1 | Identifying Rogue Processes, Looking for Unusual or Hidden Files, Checking for Unauthorized Access Points, Examining Jobs Run by the Scheduler Service | Student shall learn to identify unauthorized users and groups | Discussion
Investigating windows systems (File auditing and theft of information) | R-1 | File auditing and theft of information, Handling the departed employee | Student shall learn file auditing | Practical demonstration
Investigating windows systems (Handle the departing employee) | R-1 | File auditing and theft of information, Handling the departed employee | Student shall learn file auditing | Discussion

Week 14 Lecture 27 | Investigating routers (Obtaining volatile data prior to powering down) | R-1 | Establishing a Router Connection, Recording System Time, Determining Who Is Logged On, Determining the Router's Uptime, Determining Listening Sockets, Saving the Router Configuration, Reviewing the Routing Table, Checking Interface Configurations, Viewing the ARP Cache | Student shall learn router forensic | Practical Demonstration
Investigating routers (Finding the proof) | R-1 | Establishing a Router Connection, Recording System Time, Determining Who Is Logged On, Determining the Router's Uptime, Determining Listening Sockets, Saving the Router Configuration, Reviewing the Routing Table, Checking Interface Configurations, Viewing the ARP Cache | Student shall learn router forensic | Practical Demonstration
Writing computer forensic reports (What is a computer forensic report?) | R-1 | AV-12 | What Is an Expert Report?, Report Goals, Document Investigative Steps Immediately and Clearly, Know the Goals of Your Analysis, Organize Your Report, Follow a Template, Use Consistent Identifiers, Use Attachments and Appendices, Have Co-workers Read Your Reports, Use MD5 Hashes, Include Metadata | Student shall learn to write a report for a forensic analysis | Discussion

Week 14 Lecture 27 | Writing computer forensic reports (Report writing guidelines) | R-1 | AV-12 | What Is an Expert Report?, Report Goals, Document Investigative Steps Immediately and Clearly, Know the Goals of Your Analysis, Organize Your Report, Follow a Template, Use Consistent Identifiers, Use Attachments and Appendices, Have Co-workers Read Your Reports, Use MD5 Hashes, Include Metadata | Student shall learn to write a report for a forensic analysis | Discussion
Writing computer forensic reports (A template for computer forensic reports) | R-1 | Executive Summary, Objectives, Computer Evidence Analyzed, Relevant Findings, Supporting Details, Investigative Leads, Additional Report Subsections | Student shall learn to write a report for a forensic analysis | Discussion

SPILL OVER
Week 14 Lecture 28 Spill Over
Week 15 Lecture 29 Spill Over
Lecture 30 Spill Over

Scheme for CA:

CA Category of this Course Code is: A0203 (2 best out of 3)

Component | Weightage (%) | Mapped CO(s)
Test 1 | 50 | CO1, CO2
Test 2 | 50 | CO3, CO4
Test 3 | 50 | CO5, CO6

Details of Academic Task(s)

Academic Task | Objective | Detail of Academic Task | Nature of Academic Task (group/individuals) | Academic Task Mode | Marks | Allotment / submission Week
Test 1 | To evaluate the subject knowledge of each student | Test 1 will comprise the course content till Lecture 6. The students will be evaluated on the basis of: i) Two subjective questions of 5 marks each; ii) Two subjective questions of 10 marks each | Individual | Offline | 30 | 3/5
Test 2 | To evaluate the subject knowledge of each student | Test 2 will comprise the course content till Lecture 19. The students will be evaluated on the basis of: i) Two subjective questions of 5 marks each; ii) Two subjective questions of 10 marks each | Individual | Offline | 30 | 7/9
Test 3 | To evaluate the subject knowledge of each student | Test 3 will comprise the course content till Lecture 24. The students will be evaluated on the basis of 30 MCQs. Negative marking of 25% for each wrong answer will be applicable. | Individual | Online | 30 | 11 / 13
MOOCs/ Certification etc. mapped with the Academic Task(s)
Academic Task | Name Of Certification/Online Course/Test/Competition mapped | Type | Offered By Organisation
Test 1 | COMPUTER HACKING AND FORENSICS | MOOCs | CYBRARY
Test 1 | COMPUTER HACKING FORENSIC INVESTIGATOR | Industry Certification | EC-COUNCIL
Test 2 | COMPUTER HACKING FORENSIC INVESTIGATOR | Industry Certification | EC-COUNCIL
Test 3 | COMPUTER HACKING FORENSIC INVESTIGATOR | Industry Certification | EC-COUNCIL
Test 3 | CYBER INCIDENT RESPONSE SPECIALIZATION | MOOCs | COURSERA

Where MOOCs/ Certification etc. are mapped with Academic Tasks:


1. Students have the choice to appear for the Academic Task or the MOOCs etc.
2. The student may appear for both; in this case the best obtained marks will be considered.

List of suggested topics for term paper[at least 15] (Student to spend about 15 hrs on any one specified term paper)

Sr. No. Topic


1 NA

Detailed Plan For Practicals

Practical No | Broad topic | Subtopic | Other Readings | Learning Outcomes
Practical 1 | Network Evidence Collection | Network evidence collection and analysis of captured packet with the help of tcpdump | AV-9 | Student should be able to understand the process of Network evidence collection.

Practical 2 | Network Evidence Collection | nmap | AV-9 | Student should be able to understand the process of Network evidence collection.
Practical 3 | Network Evidence Collection | RawCap and Wireshark. | AV-9 | Student should be able to understand the process of Network evidence collection.
Practical 4 | Acquiring Host Based Evidence | Local volatile and non-volatile acquisition and memory acquisition with the help of FTK Imager and WinPmem | | Student should be able to understand the process of host based evidence acquisition
Practical 5 | Understanding Forensic Imaging | Demonstration of Dead Imaging and Live Imaging with the help of FTK Imager and EnCase. | AV-7 | Student should be able to understand the process of imaging
Practical 6 | Network-Evidence Analysis | Analysis of packet information and gaining an overall sense of the traffic contained within a packet capture with the help of Wireshark | AV-7 | Student should be able to understand the process of evidence analysis
Practical 7 | Network-Evidence Analysis | Xplico and CapAnalysis. | AV-7 | Student should be able to understand the process of evidence analysis
Practical 8 | Network Log Analysis | Analyzing network log files with the help of DNS Blacklists and the ELK Stack. | AV-9 | Student should be able to understand the process of Network log analysis
Practical 9 | Analyzing System Memory | Reviewing the images of memory with the help of Mandiant Redline. | | Student should be able to understand the process of system memory analysis
Practical 10 | Volatility | Performing the analysis of memory images with the help of the open-source advanced memory forensics framework. | | Student should be able to understand the process of using the Volatility framework
Practical 11 | Analyzing System Storage | Demonstration of timeline analysis | | Student should be able to understand the process of system storage analysis
| Analyzing System Storage | keyword searching | | Student should be able to understand the process of system storage analysis
Practical 12 | Analyzing System Storage | and web and email artifacts and to filter results on known bad file hashes using Autopsy. | | Student should be able to understand the process of system storage analysis
SPILL OVER
Practical 1 | Spill Over
